Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 4-2-4 – The cybersecurity requirements related to the use of hosting and cloud computing services must be reviewed periodically.
Understanding the Requirement
This control, from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, requires organizations to treat the cybersecurity rules and expectations for hosting and cloud services as living documents: they must be reviewed on a planned cadence and updated whenever relevant laws, regulations, or business conditions change. For an SMB that means having a documented review plan (for example, an annual review), tracking regulatory changes that affect cloud usage, and recording and approving any updates so the changes are visible to management and operational teams.
Technical Implementation
- Establish a documented review schedule and owner. Assign a cloud/cybersecurity owner (IT manager, security lead, or outsourced provider) and document a review cadence, commonly annual. Put the schedule in a simple plan or policy document that states the review frequency, the required participants (IT, legal/compliance, procurement), and the decision authority for approving changes (head of the organization or deputy).
- Map your cloud and hosting inventory for targeted reviews. Maintain an up-to-date inventory of all cloud services and hosting providers (IaaS, PaaS, SaaS, managed hosting). Include the service owner, data classification, and contracts. During each review, use that inventory to prioritize checks on services that process sensitive data or whose contracts are near renewal.
- Embed a regulatory and contract-change trigger. Create a simple process to trigger out-of-cycle reviews: changes in laws/regulations, a new data classification requirement, a high-risk incident, or significant vendor contract changes. For SMBs, subscribe to a regulatory update feed or set a calendar reminder tied to the legal/compliance contact so changes are flagged quickly.
- Make the policy actionable and aligned with vendor controls. Translate policy statements into technical requirements for vendors and internal teams: encryption in transit and at rest, access control, logging and retention, backup and recovery RPO/RTO, and incident notification timelines. Include these in procurement checklists and contract clauses so reviews can verify continued compliance.
- Document reviews and approvals with a simple sign-off workflow. Keep an auditable record of every review: what was reviewed, what changed, who approved it, and the effective date. A shared document or lightweight ticketing workflow is sufficient for most SMBs. Ensure the head of the organization or their deputy signs off on material changes, as the control requires.
Example in a Small or Medium Business
Atlas Design, a 45-person creative agency, uses several cloud services for email, file storage, and project management. The IT lead created a one-page Cloud Use Policy and scheduled an annual review each January. The policy owner keeps a cloud inventory spreadsheet listing each service, its owner, the data types processed, contract renewal dates, and the basic security controls in place. When a new national data protection regulation was announced, the legal contact flagged the change and the IT lead initiated an out-of-cycle review. The team validated encryption requirements, adjusted access control settings for contractors, and updated vendor contract clauses where necessary. They documented the review outcomes in the policy document and obtained sign-off from the company director. Finally, they recorded the changes in their change log and updated the procurement checklist so future cloud purchases would default to the revised security requirements.
Summary
For SMBs, meeting ECC 4-2-4 is practical when you combine a simple written policy and review schedule with an accurate cloud inventory, a regulatory-change trigger, and a documented approval workflow. Translating the policy into vendor and technical requirements (encryption, access control, logging) and recording each review and sign-off ensures the organization's cloud security expectations stay current, auditable, and enforceable.